CFC Summit is back and going virtual on May 19th Register today!

Article January 10, 2018

Malicious Product Tamper from a Cyber vector…

Product tampering has long been necessary coverage for companies purchasing Recall policies. That’s because there has always been a risk of disgruntled employees, unhappy consumers, and even ideologically motivated extremists tampering with a product to cause bodily injury. This threat persists; as recently as late September 2017 a German extortion case saw an individual poison baby food in several supermarkets. Yet while the nature of the threat hasn’t changed much, the method of its execution has.

Readily available technology and roaring trade on the dark web allows criminals to infiltrate millions of computers and smart devices with relative ease, but the threats go far beyond our personal devices and homes. Companies are becoming increasingly aware of the fact that the rise of the ‘interconnected world’ leaves them exposed to the risk of a cyberattack from many angles, and manufacturers are by no means insulated from this trend.

An article published by Quarts in the first quarter of 2017 illustrated the dangers in the food industry, as ‘nearly every step of the food supply chain involves a smart device or sensor that connects to a centralized control system’. With ‘smart’ devices being used in the transportation, storage, and production elements, there is a systemic exposure to cyberattacks especially with relatively poor written coding making them even more vulnerable to hackers. In a worst case scenario, malicious actors could prevent shipments from arriving, contaminate products, steal trade secrets and tamper with product formulas which subsequently put the consumer in danger.

In 2016, a staggering 91 of the 122 recalls recorded by the USDA were Class 1 which means ‘there is reasonable probability that eating the food will cause health problems or even death’. Add to this the increasing rate of major global malware incidents (such as last year’s WannaCry and NotPetya) as well as a trend towards ever more targeted cyberattacks, and it becomes clear that (food) manufacturers need to step up to the challenge. The threat is very real, as much of the food industry’s processes are automated, such as food irradiation. Also called electronic pasteurization, this procedure aids the preservation of food. However, should hackers gain access to a food supply network they could introduce dangerous chemicals or change formulas to include unlisted allergens.

On the non-food side, 3D printers are being used more commonly to produce products and even automotive component parts. It’s a great leap in technology, but research has shown that 3D printers are susceptible to hacking, and as a result there is a clear risk of products being compromised during the production stages, leading to defects which in turn pose a danger to eventual users.

The following article https://techcrunch.com/2017/02/13/researchers-simulate-a-ransomware-attack-on-industrial-controls/ is an extremely interesting read which illustrates the very problem that manufacturers may face from a cyber related recall perspective. The research carried out conveys how hackers can access infrastructure systems of a water supplier, including the ability to change chlorine levels, shut down water valves and send false readings to monitoring systems. Furthermore, a group of cybersecurity researchers in early 2017 showed how hackers can cause far more serious physical sabotage than expected with the modification of the code which controls a robotic arm (typical in manufacturing in the automotive industry for example), which could cost millions of dollars’ worth of product defects if not detected. The International Federation of Robotics expects 1.3 million industrial robots to be in use by 2018, which illustrates a potential systemic problem given the vulnerability to cyberattacks.

According to Federico Maggi, one of the researchers involved, “You can change completely what it’s doing to the work piece, introduce defects, stop the production, whatever you want”. (Source: https://www.wired.com/2017/05/watch-hackers-sabotage-factory-robot-arm-afar/)

It is true that there have not been any media reports of recalls stemming from a cyber malicious product tamper yet. But with cyberattacks increasing at an exponential rate it’s only a matter of time until this threat becomes a reality for manufacturers.

Bibliography

https://www.designnews.com/3d-printing/3d-printing-has-urgent-need-cybersecurity/42281071756489

https://qz.com/940825/the-food-industry-has-embraced-smart-technology-which-means-its-incredibly-vulnerable-to-hackers/

https://www.fsis.usda.gov/wps/portal/fsis/topics/recalls-and-public-health-alerts/recall-summaries

http://www.foodqualityandsafety.com/article/cybersecurity-in-food-and-beverage-industry/

https://www.wired.com/2017/05/watch-hackers-sabotage-factory-robot-arm-afar/